[cap-talk] top-to-bottom
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Sat Jan 17 23:24:04 EST 2009
ross mcginnis wrote:
> I've been wondering if you had a top-to-bottom cap based desktop what sort
> of user account management system would be best implemented (this is w.r.t
> a typical personal use computer with users in an every day setting, not somethin.
>
> Would you emulate the traditional root/superuser account paradigm where
> only one single entity has the authority to create and manage all the
> other accounts (presumably this could be emulated by designing an account
> creation object which is a trusted code object that tightly holds a
> create-user cap)?
Why would you do that? The arguments in favour of being able to delegate
account creation authority are just the same as for any other authority.
Imposing an identity-based access check on who can create accounts would be
completely unnatural for a capability design.
Note that accounts are much less important in the design of a pure
capability system, since you don't need to create an account in order
to create a new subject that can have independent authorities. They
might be used for resource accounting (although there are also likely
to be finer-grained units of resource accounting, such as space banks),
or for assigning responsibility in a Horton-like protocol. For those
purposes there is no need to place draconian restrictions on their
creation.
> Or perhaps design something more fluid (and a very big break from standard)
> such as where you have a deliberately free create-user cap and if any user
> possesses it they can create a new user and also they can discretionally
> choose whether to pass the cap onto the newly created user or not?
That's a much more obvious design for a pure cap system.
> This also raises other design questions regarding related issues such as
> removing accounts.
This is just another authority. Probably, creating an account gives you
a control facet that allows removing it.
--
David-Sarah Hopwood ⚥
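The design sketched in this reply (a freely delegable create-user cap, with creation handing back a control facet that is the only authority able to remove the account) as an added Python example. This is not code from the post or from any cap-talk project; the in-process `Registry`, the class names, and the "initial capability set" dictionary on each account are my assumptions, standing in for whatever a real system would use. The only access check anywhere is possession of an object reference, so there is no identity-based check on who may create accounts.

```python
# Added example (not from the cap-talk post): a toy object-capability account
# registry. Capabilities are plain Python object references; holding one is the
# authority. Names below (Registry, CreateUserCap, ControlFacet) are assumptions.
from dataclasses import dataclass, field


class Registry:
    """Holds the set of live accounts. Never handed out to users directly;
    only the two facets below hold a reference to it."""

    def __init__(self):
        self._accounts = {}  # name -> Account

    def add(self, acct):
        if acct.name in self._accounts:
            raise ValueError(f"account {acct.name!r} already exists")
        self._accounts[acct.name] = acct

    def remove(self, name):
        self._accounts.pop(name, None)

    def live_names(self):
        return sorted(self._accounts)


@dataclass
class Account:
    name: str
    # The new user's initial capability set (assumed representation).
    caps: dict = field(default_factory=dict)


class CreateUserCap:
    """The 'deliberately free' create-user capability. Any holder can mint an
    account and discretionally decide whether to pass this cap on to it."""

    def __init__(self, registry):
        self._registry = registry

    def __call__(self, name, delegate_create=False):
        acct = Account(name)
        if delegate_create:
            # Delegation is just passing the reference along; nothing else
            # in the system needs to know or approve.
            acct.caps["create_user"] = self
        self._registry.add(acct)
        # Removal is 'just another authority': creation returns a narrow
        # control facet, and only its holder can remove the account.
        return acct, ControlFacet(self._registry, name)


class ControlFacet:
    """Single-use facet for removing one specific account."""

    def __init__(self, registry, name):
        self._registry = registry
        self._name = name
        self._used = False

    def remove(self):
        if self._used:
            raise RuntimeError("control facet already used")
        self._registry.remove(self._name)
        self._used = True


def demo():
    """Constructed scenario: an initial holder creates alice (with the cap
    delegated) and bob (without); alice creates carol; alice is then removed."""
    registry = Registry()
    initial_cap = CreateUserCap(registry)  # e.g. held by whoever set up the machine
    alice, alice_ctl = initial_cap("alice", delegate_create=True)
    bob, _bob_ctl = initial_cap("bob")
    # alice holds a create-user cap, so she can create carol. bob holds no such
    # reference, so there is simply nothing he can call.
    _carol, _carol_ctl = alice.caps["create_user"]("carol")
    bob_can_create = "create_user" in bob.caps
    # Whoever holds alice's control facet removes alice; carol is unaffected,
    # since accounts here have no ownership tree (a design choice of the toy).
    alice_ctl.remove()
    return {
        "live": registry.live_names(),
        "bob_can_create": bob_can_create,
        "carol_exists": "carol" in registry.live_names(),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the toy makes concrete: delegation costs nothing beyond handing the reference to the new account, and the control facet returned at creation time is narrower than the create-user cap itself, so a holder can give someone the power to remove one account without giving them the power to create any.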